CVE-2021-26077 - Broken authentication in Atlassian Connect Spring Boot (ACSB)


On this page

Still need help?

The Atlassian Community is here for you.

Ask the community


Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot version 2.1.4 introduced a regression to query string hash validation in lifecycle endpoints (such as installation), this regression permits an attacker to send authenticated re-installation event to an app using JWTs intended for other endpoints. This is fixed in version 2.1.5.
Note: This is the re-surfacing of CVE-2021-26074 - Broken authentication in Atlassian Connect Spring Boot (ACSB) in 2.1.4

Affected versions

  • 1.1.0 - 2.1.2, 2.1.4

Fixed versions

  • 2.1.3, 2.1.5 and later


This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.1 => Critical severity

Exploitability Metrics

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone

Scope Metric


Impact Metrics


Last modified on May 7, 2021

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.